Bitcoin Core  24.1.0
P2P Digital Currency
tests_impl.h
Go to the documentation of this file.
1 /***********************************************************************
2  * Copyright (c) 2013-2015 Pieter Wuille *
3  * Distributed under the MIT software license, see the accompanying *
4  * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5  ***********************************************************************/
6 
7 #ifndef SECP256K1_MODULE_RECOVERY_TESTS_H
8 #define SECP256K1_MODULE_RECOVERY_TESTS_H
9 
10 static int recovery_test_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
11  (void) msg32;
12  (void) key32;
13  (void) algo16;
14  (void) data;
15 
16  /* On the first run, return 0 to force a second run */
17  if (counter == 0) {
18  memset(nonce32, 0, 32);
19  return 1;
20  }
21  /* On the second run, return an overflow to force a third run */
22  if (counter == 1) {
23  memset(nonce32, 0xff, 32);
24  return 1;
25  }
26  /* On the next run, return a valid nonce, but flip a coin as to whether or not to fail signing. */
27  memset(nonce32, 1, 32);
28  return secp256k1_testrand_bits(1);
29 }
30 
31 void test_ecdsa_recovery_api(void) {
32  /* Setup contexts that just count errors */
33  secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
34  secp256k1_context *sign = secp256k1_context_create(SECP256K1_CONTEXT_SIGN);
35  secp256k1_context *vrfy = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY);
36  secp256k1_context *both = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
37  secp256k1_context *sttc = secp256k1_context_clone(secp256k1_context_no_precomp);
38  secp256k1_pubkey pubkey;
39  secp256k1_pubkey recpubkey;
40  secp256k1_ecdsa_signature normal_sig;
41  secp256k1_ecdsa_recoverable_signature recsig;
42  unsigned char privkey[32] = { 1 };
43  unsigned char message[32] = { 2 };
44  int32_t ecount = 0;
45  int recid = 0;
46  unsigned char sig[74];
47  unsigned char zero_privkey[32] = { 0 };
48  unsigned char over_privkey[32] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
49  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
50  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
51  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
52 
53  secp256k1_context_set_error_callback(none, counting_illegal_callback_fn, &ecount);
54  secp256k1_context_set_error_callback(sign, counting_illegal_callback_fn, &ecount);
55  secp256k1_context_set_error_callback(vrfy, counting_illegal_callback_fn, &ecount);
56  secp256k1_context_set_error_callback(both, counting_illegal_callback_fn, &ecount);
57  secp256k1_context_set_error_callback(sttc, counting_illegal_callback_fn, &ecount);
58  secp256k1_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount);
59  secp256k1_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount);
60  secp256k1_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount);
61  secp256k1_context_set_illegal_callback(both, counting_illegal_callback_fn, &ecount);
62  secp256k1_context_set_illegal_callback(sttc, counting_illegal_callback_fn, &ecount);
63 
64  /* Construct and verify corresponding public key. */
65  CHECK(secp256k1_ec_seckey_verify(ctx, privkey) == 1);
66  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1);
67 
68  /* Check bad contexts and NULLs for signing */
69  ecount = 0;
70  CHECK(secp256k1_ecdsa_sign_recoverable(none, &recsig, message, privkey, NULL, NULL) == 1);
71  CHECK(ecount == 0);
72  CHECK(secp256k1_ecdsa_sign_recoverable(sign, &recsig, message, privkey, NULL, NULL) == 1);
73  CHECK(ecount == 0);
74  CHECK(secp256k1_ecdsa_sign_recoverable(vrfy, &recsig, message, privkey, NULL, NULL) == 1);
75  CHECK(ecount == 0);
76  CHECK(secp256k1_ecdsa_sign_recoverable(both, &recsig, message, privkey, NULL, NULL) == 1);
77  CHECK(ecount == 0);
78  CHECK(secp256k1_ecdsa_sign_recoverable(both, NULL, message, privkey, NULL, NULL) == 0);
79  CHECK(ecount == 1);
80  CHECK(secp256k1_ecdsa_sign_recoverable(both, &recsig, NULL, privkey, NULL, NULL) == 0);
81  CHECK(ecount == 2);
82  CHECK(secp256k1_ecdsa_sign_recoverable(both, &recsig, message, NULL, NULL, NULL) == 0);
83  CHECK(ecount == 3);
84  CHECK(secp256k1_ecdsa_sign_recoverable(sttc, &recsig, message, privkey, NULL, NULL) == 0);
85  CHECK(ecount == 4);
86  /* This will fail or succeed randomly, and in either case will not ARG_CHECK failure */
87  secp256k1_ecdsa_sign_recoverable(both, &recsig, message, privkey, recovery_test_nonce_function, NULL);
88  CHECK(ecount == 4);
89  /* These will all fail, but not in ARG_CHECK way */
90  CHECK(secp256k1_ecdsa_sign_recoverable(both, &recsig, message, zero_privkey, NULL, NULL) == 0);
91  CHECK(secp256k1_ecdsa_sign_recoverable(both, &recsig, message, over_privkey, NULL, NULL) == 0);
92  /* This one will succeed. */
93  CHECK(secp256k1_ecdsa_sign_recoverable(both, &recsig, message, privkey, NULL, NULL) == 1);
94  CHECK(ecount == 4);
95 
96  /* Check signing with a goofy nonce function */
97 
98  /* Check bad contexts and NULLs for recovery */
99  ecount = 0;
100  CHECK(secp256k1_ecdsa_recover(none, &recpubkey, &recsig, message) == 1);
101  CHECK(ecount == 0);
102  CHECK(secp256k1_ecdsa_recover(sign, &recpubkey, &recsig, message) == 1);
103  CHECK(ecount == 0);
104  CHECK(secp256k1_ecdsa_recover(vrfy, &recpubkey, &recsig, message) == 1);
105  CHECK(ecount == 0);
106  CHECK(secp256k1_ecdsa_recover(both, &recpubkey, &recsig, message) == 1);
107  CHECK(ecount == 0);
108  CHECK(secp256k1_ecdsa_recover(both, NULL, &recsig, message) == 0);
109  CHECK(ecount == 1);
110  CHECK(secp256k1_ecdsa_recover(both, &recpubkey, NULL, message) == 0);
111  CHECK(ecount == 2);
112  CHECK(secp256k1_ecdsa_recover(both, &recpubkey, &recsig, NULL) == 0);
113  CHECK(ecount == 3);
114 
115  /* Check NULLs for conversion */
116  CHECK(secp256k1_ecdsa_sign(both, &normal_sig, message, privkey, NULL, NULL) == 1);
117  ecount = 0;
118  CHECK(secp256k1_ecdsa_recoverable_signature_convert(both, NULL, &recsig) == 0);
119  CHECK(ecount == 1);
120  CHECK(secp256k1_ecdsa_recoverable_signature_convert(both, &normal_sig, NULL) == 0);
121  CHECK(ecount == 2);
122  CHECK(secp256k1_ecdsa_recoverable_signature_convert(both, &normal_sig, &recsig) == 1);
123 
124  /* Check NULLs for de/serialization */
125  CHECK(secp256k1_ecdsa_sign_recoverable(both, &recsig, message, privkey, NULL, NULL) == 1);
126  ecount = 0;
127  CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(both, NULL, &recid, &recsig) == 0);
128  CHECK(ecount == 1);
129  CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(both, sig, NULL, &recsig) == 0);
130  CHECK(ecount == 2);
131  CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(both, sig, &recid, NULL) == 0);
132  CHECK(ecount == 3);
133  CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(both, sig, &recid, &recsig) == 1);
134 
135  CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(both, NULL, sig, recid) == 0);
136  CHECK(ecount == 4);
137  CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(both, &recsig, NULL, recid) == 0);
138  CHECK(ecount == 5);
139  CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(both, &recsig, sig, -1) == 0);
140  CHECK(ecount == 6);
141  CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(both, &recsig, sig, 5) == 0);
142  CHECK(ecount == 7);
143  /* overflow in signature will fail but not affect ecount */
144  memcpy(sig, over_privkey, 32);
145  CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(both, &recsig, sig, recid) == 0);
146  CHECK(ecount == 7);
147 
148  /* cleanup */
149  secp256k1_context_destroy(none);
150  secp256k1_context_destroy(sign);
151  secp256k1_context_destroy(vrfy);
152  secp256k1_context_destroy(both);
153  secp256k1_context_destroy(sttc);
154 }
155 
156 void test_ecdsa_recovery_end_to_end(void) {
157  unsigned char extra[32] = {0x00};
158  unsigned char privkey[32];
159  unsigned char message[32];
160  secp256k1_ecdsa_signature signature[5];
161  secp256k1_ecdsa_recoverable_signature rsignature[5];
162  unsigned char sig[74];
163  secp256k1_pubkey pubkey;
164  secp256k1_pubkey recpubkey;
165  int recid = 0;
166 
167  /* Generate a random key and message. */
168  {
169  secp256k1_scalar msg, key;
170  random_scalar_order_test(&msg);
171  random_scalar_order_test(&key);
172  secp256k1_scalar_get_b32(privkey, &key);
173  secp256k1_scalar_get_b32(message, &msg);
174  }
175 
176  /* Construct and verify corresponding public key. */
177  CHECK(secp256k1_ec_seckey_verify(ctx, privkey) == 1);
178  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1);
179 
180  /* Serialize/parse compact and verify/recover. */
181  extra[0] = 0;
182  CHECK(secp256k1_ecdsa_sign_recoverable(ctx, &rsignature[0], message, privkey, NULL, NULL) == 1);
183  CHECK(secp256k1_ecdsa_sign(ctx, &signature[0], message, privkey, NULL, NULL) == 1);
184  CHECK(secp256k1_ecdsa_sign_recoverable(ctx, &rsignature[4], message, privkey, NULL, NULL) == 1);
185  CHECK(secp256k1_ecdsa_sign_recoverable(ctx, &rsignature[1], message, privkey, NULL, extra) == 1);
186  extra[31] = 1;
187  CHECK(secp256k1_ecdsa_sign_recoverable(ctx, &rsignature[2], message, privkey, NULL, extra) == 1);
188  extra[31] = 0;
189  extra[0] = 1;
190  CHECK(secp256k1_ecdsa_sign_recoverable(ctx, &rsignature[3], message, privkey, NULL, extra) == 1);
191  CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(ctx, sig, &recid, &rsignature[4]) == 1);
192  CHECK(secp256k1_ecdsa_recoverable_signature_convert(ctx, &signature[4], &rsignature[4]) == 1);
193  CHECK(secp256k1_memcmp_var(&signature[4], &signature[0], 64) == 0);
194  CHECK(secp256k1_ecdsa_verify(ctx, &signature[4], message, &pubkey) == 1);
195  memset(&rsignature[4], 0, sizeof(rsignature[4]));
196  CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsignature[4], sig, recid) == 1);
197  CHECK(secp256k1_ecdsa_recoverable_signature_convert(ctx, &signature[4], &rsignature[4]) == 1);
198  CHECK(secp256k1_ecdsa_verify(ctx, &signature[4], message, &pubkey) == 1);
199  /* Parse compact (with recovery id) and recover. */
200  CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsignature[4], sig, recid) == 1);
201  CHECK(secp256k1_ecdsa_recover(ctx, &recpubkey, &rsignature[4], message) == 1);
202  CHECK(secp256k1_memcmp_var(&pubkey, &recpubkey, sizeof(pubkey)) == 0);
203  /* Serialize/destroy/parse signature and verify again. */
204  CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(ctx, sig, &recid, &rsignature[4]) == 1);
205  sig[secp256k1_testrand_bits(6)] += 1 + secp256k1_testrand_int(255);
206  CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsignature[4], sig, recid) == 1);
207  CHECK(secp256k1_ecdsa_recoverable_signature_convert(ctx, &signature[4], &rsignature[4]) == 1);
208  CHECK(secp256k1_ecdsa_verify(ctx, &signature[4], message, &pubkey) == 0);
209  /* Recover again */
210  CHECK(secp256k1_ecdsa_recover(ctx, &recpubkey, &rsignature[4], message) == 0 ||
211  secp256k1_memcmp_var(&pubkey, &recpubkey, sizeof(pubkey)) != 0);
212 }
213 
214 /* Tests several edge cases. */
215 void test_ecdsa_recovery_edge_cases(void) {
216  const unsigned char msg32[32] = {
217  'T', 'h', 'i', 's', ' ', 'i', 's', ' ',
218  'a', ' ', 'v', 'e', 'r', 'y', ' ', 's',
219  'e', 'c', 'r', 'e', 't', ' ', 'm', 'e',
220  's', 's', 'a', 'g', 'e', '.', '.', '.'
221  };
222  const unsigned char sig64[64] = {
223  /* Generated by signing the above message with nonce 'This is the nonce we will use...'
224  * and secret key 0 (which is not valid), resulting in recid 1. */
225  0x67, 0xCB, 0x28, 0x5F, 0x9C, 0xD1, 0x94, 0xE8,
226  0x40, 0xD6, 0x29, 0x39, 0x7A, 0xF5, 0x56, 0x96,
227  0x62, 0xFD, 0xE4, 0x46, 0x49, 0x99, 0x59, 0x63,
228  0x17, 0x9A, 0x7D, 0xD1, 0x7B, 0xD2, 0x35, 0x32,
229  0x4B, 0x1B, 0x7D, 0xF3, 0x4C, 0xE1, 0xF6, 0x8E,
230  0x69, 0x4F, 0xF6, 0xF1, 0x1A, 0xC7, 0x51, 0xDD,
231  0x7D, 0xD7, 0x3E, 0x38, 0x7E, 0xE4, 0xFC, 0x86,
232  0x6E, 0x1B, 0xE8, 0xEC, 0xC7, 0xDD, 0x95, 0x57
233  };
234  secp256k1_pubkey pubkey;
235  /* signature (r,s) = (4,4), which can be recovered with all 4 recids. */
236  const unsigned char sigb64[64] = {
237  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
238  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
239  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
240  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04,
241  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
242  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
243  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
244  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04,
245  };
246  secp256k1_pubkey pubkeyb;
247  secp256k1_ecdsa_recoverable_signature rsig;
248  secp256k1_ecdsa_signature sig;
249  int recid;
250 
251  CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sig64, 0));
252  CHECK(!secp256k1_ecdsa_recover(ctx, &pubkey, &rsig, msg32));
253  CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sig64, 1));
254  CHECK(secp256k1_ecdsa_recover(ctx, &pubkey, &rsig, msg32));
255  CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sig64, 2));
256  CHECK(!secp256k1_ecdsa_recover(ctx, &pubkey, &rsig, msg32));
257  CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sig64, 3));
258  CHECK(!secp256k1_ecdsa_recover(ctx, &pubkey, &rsig, msg32));
259 
260  for (recid = 0; recid < 4; recid++) {
261  int i;
262  int recid2;
263  /* (4,4) encoded in DER. */
264  unsigned char sigbder[8] = {0x30, 0x06, 0x02, 0x01, 0x04, 0x02, 0x01, 0x04};
265  unsigned char sigcder_zr[7] = {0x30, 0x05, 0x02, 0x00, 0x02, 0x01, 0x01};
266  unsigned char sigcder_zs[7] = {0x30, 0x05, 0x02, 0x01, 0x01, 0x02, 0x00};
267  unsigned char sigbderalt1[39] = {
268  0x30, 0x25, 0x02, 0x20, 0x00, 0x00, 0x00, 0x00,
269  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
270  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
271  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
272  0x00, 0x00, 0x00, 0x04, 0x02, 0x01, 0x04,
273  };
274  unsigned char sigbderalt2[39] = {
275  0x30, 0x25, 0x02, 0x01, 0x04, 0x02, 0x20, 0x00,
276  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
277  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
278  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
279  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04,
280  };
281  unsigned char sigbderalt3[40] = {
282  0x30, 0x26, 0x02, 0x21, 0x00, 0x00, 0x00, 0x00,
283  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
284  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
285  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
286  0x00, 0x00, 0x00, 0x00, 0x04, 0x02, 0x01, 0x04,
287  };
288  unsigned char sigbderalt4[40] = {
289  0x30, 0x26, 0x02, 0x01, 0x04, 0x02, 0x21, 0x00,
290  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
291  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
292  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
293  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04,
294  };
295  /* (order + r,4) encoded in DER. */
296  unsigned char sigbderlong[40] = {
297  0x30, 0x26, 0x02, 0x21, 0x00, 0xFF, 0xFF, 0xFF,
298  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
299  0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xBA, 0xAE, 0xDC,
300  0xE6, 0xAF, 0x48, 0xA0, 0x3B, 0xBF, 0xD2, 0x5E,
301  0x8C, 0xD0, 0x36, 0x41, 0x45, 0x02, 0x01, 0x04
302  };
303  CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sigb64, recid) == 1);
304  CHECK(secp256k1_ecdsa_recover(ctx, &pubkeyb, &rsig, msg32) == 1);
305  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbder, sizeof(sigbder)) == 1);
306  CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 1);
307  for (recid2 = 0; recid2 < 4; recid2++) {
308  secp256k1_pubkey pubkey2b;
309  CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sigb64, recid2) == 1);
310  CHECK(secp256k1_ecdsa_recover(ctx, &pubkey2b, &rsig, msg32) == 1);
311  /* Verifying with (order + r,4) should always fail. */
312  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbderlong, sizeof(sigbderlong)) == 1);
313  CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 0);
314  }
315  /* DER parsing tests. */
316  /* Zero length r/s. */
317  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigcder_zr, sizeof(sigcder_zr)) == 0);
318  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigcder_zs, sizeof(sigcder_zs)) == 0);
319  /* Leading zeros. */
320  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbderalt1, sizeof(sigbderalt1)) == 0);
321  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbderalt2, sizeof(sigbderalt2)) == 0);
322  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbderalt3, sizeof(sigbderalt3)) == 0);
323  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbderalt4, sizeof(sigbderalt4)) == 0);
324  sigbderalt3[4] = 1;
325  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbderalt3, sizeof(sigbderalt3)) == 1);
326  CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 0);
327  sigbderalt4[7] = 1;
328  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbderalt4, sizeof(sigbderalt4)) == 1);
329  CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 0);
330  /* Damage signature. */
331  sigbder[7]++;
332  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbder, sizeof(sigbder)) == 1);
333  CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 0);
334  sigbder[7]--;
335  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbder, 6) == 0);
336  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbder, sizeof(sigbder) - 1) == 0);
337  for(i = 0; i < 8; i++) {
338  int c;
339  unsigned char orig = sigbder[i];
340  /*Try every single-byte change.*/
341  for (c = 0; c < 256; c++) {
342  if (c == orig ) {
343  continue;
344  }
345  sigbder[i] = c;
346  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbder, sizeof(sigbder)) == 0 || secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 0);
347  }
348  sigbder[i] = orig;
349  }
350  }
351 
352  /* Test r/s equal to zero */
353  {
354  /* (1,1) encoded in DER. */
355  unsigned char sigcder[8] = {0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01};
356  unsigned char sigc64[64] = {
357  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
358  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
359  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
360  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
361  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
362  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
363  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
364  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
365  };
366  secp256k1_pubkey pubkeyc;
367  CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sigc64, 0) == 1);
368  CHECK(secp256k1_ecdsa_recover(ctx, &pubkeyc, &rsig, msg32) == 1);
369  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigcder, sizeof(sigcder)) == 1);
370  CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyc) == 1);
371  sigcder[4] = 0;
372  sigc64[31] = 0;
373  CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sigc64, 0) == 1);
374  CHECK(secp256k1_ecdsa_recover(ctx, &pubkeyb, &rsig, msg32) == 0);
375  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigcder, sizeof(sigcder)) == 1);
376  CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyc) == 0);
377  sigcder[4] = 1;
378  sigcder[7] = 0;
379  sigc64[31] = 1;
380  sigc64[63] = 0;
381  CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sigc64, 0) == 1);
382  CHECK(secp256k1_ecdsa_recover(ctx, &pubkeyb, &rsig, msg32) == 0);
383  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigcder, sizeof(sigcder)) == 1);
384  CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyc) == 0);
385  }
386 }
387 
388 void run_recovery_tests(void) {
389  int i;
390  for (i = 0; i < count; i++) {
391  test_ecdsa_recovery_api();
392  }
393  for (i = 0; i < 64*count; i++) {
394  test_ecdsa_recovery_end_to_end();
395  }
396  test_ecdsa_recovery_edge_cases();
397 }
398 
399 #endif /* SECP256K1_MODULE_RECOVERY_TESTS_H */
secp256k1_ecdsa_sign
SECP256K1_API int secp256k1_ecdsa_sign(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *ndata) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Create an ECDSA signature.
Definition: secp256k1.c:514
secp256k1_ecdsa_recoverable_signature_parse_compact
SECP256K1_API int secp256k1_ecdsa_recoverable_signature_parse_compact(const secp256k1_context *ctx, secp256k1_ecdsa_recoverable_signature *sig, const unsigned char *input64, int recid) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a compact ECDSA signature (64 bytes + recovery id).
Definition: main_impl.h:38
secp256k1_context_set_illegal_callback
SECP256K1_API void secp256k1_context_set_illegal_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an illegal argument is passed to an API call...
Definition: secp256k1.c:153
test_ecdsa_recovery_end_to_end
void test_ecdsa_recovery_end_to_end(void)
Definition: tests_impl.h:156
secp256k1_ecdsa_recoverable_signature
Opaque data structured that holds a parsed ECDSA signature, supporting pubkey recovery.
Definition: secp256k1_recovery.h:24
SECP256K1_CONTEXT_NONE
#define SECP256K1_CONTEXT_NONE
Definition: secp256k1.h:202
secp256k1_ecdsa_recoverable_signature_convert
SECP256K1_API int secp256k1_ecdsa_recoverable_signature_convert(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const secp256k1_ecdsa_recoverable_signature *sigin) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Convert a recoverable signature into a normal signature.
Definition: main_impl.h:74
secp256k1_context_destroy
SECP256K1_API void secp256k1_context_destroy(secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1)
Destroy a secp256k1 context object (created in dynamically allocated memory).
Definition: secp256k1.c:146
recovery_test_nonce_function
static int recovery_test_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: tests_impl.h:10
secp256k1_context_struct
Definition: secp256k1.c:47
SECP256K1_CONTEXT_SIGN
#define SECP256K1_CONTEXT_SIGN
Definition: secp256k1.h:200
secp256k1_ecdsa_recover
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_recover(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const secp256k1_ecdsa_recoverable_signature *sig, const unsigned char *msghash32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Recover an ECDSA public key from a signature.
Definition: main_impl.h:137
test_ecdsa_recovery_api
void test_ecdsa_recovery_api(void)
Definition: tests_impl.h:31
secp256k1_ecdsa_sign_recoverable
SECP256K1_API int secp256k1_ecdsa_sign_recoverable(const secp256k1_context *ctx, secp256k1_ecdsa_recoverable_signature *sig, const unsigned char *msghash32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *ndata) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Create a recoverable ECDSA signature.
Definition: main_impl.h:123
secp256k1_ec_pubkey_create
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_create(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compute the public key for a secret key.
Definition: secp256k1.c:551
test_ecdsa_recovery_edge_cases
void test_ecdsa_recovery_edge_cases(void)
Definition: tests_impl.h:215
secp256k1_ec_seckey_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_verify(const secp256k1_context *ctx, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Verify an ECDSA secret key.
Definition: secp256k1.c:528
ctx
static secp256k1_context * ctx
Definition: tests.c:34
CHECK
#define CHECK(cond)
Unconditional failure on condition failure.
Definition: util.h:35
secp256k1_ecdsa_signature
Opaque data structured that holds a parsed ECDSA signature.
Definition: secp256k1.h:83
secp256k1_ecdsa_recoverable_signature_serialize_compact
SECP256K1_API int secp256k1_ecdsa_recoverable_signature_serialize_compact(const secp256k1_context *ctx, unsigned char *output64, int *recid, const secp256k1_ecdsa_recoverable_signature *sig) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Serialize an ECDSA signature in compact format (64 bytes + recovery id).
Definition: main_impl.h:60
secp256k1_scalar
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
secp256k1_context_set_error_callback
SECP256K1_API void secp256k1_context_set_error_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an internal consistency check fails.
Definition: secp256k1.c:162
secp256k1_ecdsa_signature_parse_der
SECP256K1_API int secp256k1_ecdsa_signature_parse_der(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a DER ECDSA signature.
Definition: secp256k1.c:319
secp256k1_scalar_get_b32
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.
SECP256K1_CONTEXT_VERIFY
#define SECP256K1_CONTEXT_VERIFY
Flags to pass to secp256k1_context_create, secp256k1_context_preallocated_size, and secp256k1_context...
Definition: secp256k1.h:199
secp256k1_context_clone
SECP256K1_API secp256k1_context * secp256k1_context_clone(const secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Copy a secp256k1 context object (into dynamically allocated memory).
Definition: secp256k1.c:128
random_scalar_order_test
void random_scalar_order_test(secp256k1_scalar *num)
Definition: tests.c:111
secp256k1_testrand_bits
static SECP256K1_INLINE uint64_t secp256k1_testrand_bits(int bits)
Generate a pseudorandom number in the range [0..2**bits-1].
secp256k1_context_no_precomp
SECP256K1_API const secp256k1_context * secp256k1_context_no_precomp
A simple secp256k1 context object with no precomputed tables.
Definition: secp256k1.c:60
secp256k1_memcmp_var
static SECP256K1_INLINE int secp256k1_memcmp_var(const void *s1, const void *s2, size_t n)
Semantics like memcmp.
Definition: util.h:196
count
static int count
Definition: tests.c:33
counting_illegal_callback_fn
static void counting_illegal_callback_fn(const char *str, void *data)
Definition: tests.c:36
secp256k1_context_create
SECP256K1_API secp256k1_context * secp256k1_context_create(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Create a secp256k1 context object (in dynamically allocated memory).
Definition: secp256k1.c:107
secp256k1_ecdsa_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_verify(const secp256k1_context *ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Verify an ECDSA signature.
Definition: secp256k1.c:400
run_recovery_tests
void run_recovery_tests(void)
Definition: tests_impl.h:388
secp256k1_testrand_int
static uint32_t secp256k1_testrand_int(uint32_t range)
Generate a pseudorandom number in the range [0..range-1].
secp256k1_pubkey
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:70
Generated on Tue May 16 2023 12:00:00 for Bitcoin Core by   doxygen 1.8.14